fix(release): align module reference updates and include Terraform assets

.releaserc.json

@@ -35,7 +35,8 @@
         "assets": [
           "CHANGELOG.md",
           "infrastructure/modules/**/README.md",
-          "infrastructure/modules/**/context.tf"
+          "infrastructure/modules/**/context.tf",
+          "infrastructure/modules/**/*.tf"
         ],
         "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
       }

infrastructure/modules/guardduty/main.tf

@@ -119,7 +119,7 @@ resource "aws_guardduty_detector_feature" "eks_runtime_monitoring" {
 # are derived from the same context but disambiguated from the
 # detector.
 module "findings_label" {
-  source  = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/tags?ref=v2.3.0"
+  source  = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/tags?ref=v2.4.0"
   context = module.this.context
 
   attributes = concat(module.this.attributes, ["findings"])

scripts/tests/release-config.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -euo pipefail
+
+cd "$(git rev-parse --show-toplevel)"
+
+# Guardrail test: ensure semantic-release/git assets include the file types
+# that the release updater can modify. This prevents updates being generated
+# in prepare but silently omitted from the release commit.
+node <<'EOF'
+const fs = require("node:fs");
+
+const releasercPath = ".releaserc.json";
+const requiredAssets = [
+  "CHANGELOG.md",
+  "infrastructure/modules/**/README.md",
+  "infrastructure/modules/**/context.tf",
+  "infrastructure/modules/**/*.tf"
+];
+
+const config = JSON.parse(fs.readFileSync(releasercPath, "utf8"));
+const plugins = Array.isArray(config.plugins) ? config.plugins : [];
+
+const gitPlugin = plugins.find(
+  (entry) => Array.isArray(entry) && entry[0] === "@semantic-release/git"
+);
+
+if (!gitPlugin) {
+  console.error("release-config test failed: @semantic-release/git plugin not found in .releaserc.json");
+  process.exit(1);
+}
+
+const gitOptions = gitPlugin[1] || {};
+const assets = Array.isArray(gitOptions.assets) ? gitOptions.assets : [];
+const missing = requiredAssets.filter((asset) => !assets.includes(asset));
+
+if (missing.length > 0) {
+  console.error("release-config test failed: missing required @semantic-release/git assets:");
+  for (const asset of missing) {
+    console.error(`- ${asset}`);
+  }
+  process.exit(1);
+}
+
+console.log("release-config test passed");
+EOF

scripts/tests/unit.sh

@@ -17,4 +17,5 @@ cd "$(git rev-parse --show-toplevel)"
 # tests from here. If you want to run other test suites, see the predefined
 # tasks in scripts/test.mk.
 
+./scripts/tests/release-config.sh
 ./scripts/tests/release-updater.sh